Overview

overview

5

Static

static

3

EzExtractSetup.exe

windows10-2004-x64

4

EzExtractSetup.exe

windows11-21h2-x64

4

$PLUGINSDIR/INetC.dll

windows10-2004-x64

3

$PLUGINSDIR/INetC.dll

windows11-21h2-x64

3

$PLUGINSDI...in.dll

windows10-2004-x64

3

$PLUGINSDI...in.dll

windows11-21h2-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

$PLUGINSDI...st.exe

windows10-2004-x64

4

$PLUGINSDI...st.exe

windows11-21h2-x64

4

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows11-21h2-x64

3

GoogleUpdateSetup.exe

windows10-2004-x64

4

GoogleUpdateSetup.exe

windows11-21h2-x64

4

$PLUGINSDI...gs.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows11-21h2-x64

3

EzExtractP...ll.dll

windows10-2004-x64

1

EzExtractP...ll.dll

windows11-21h2-x64

1

EzExtractProShell.dll

windows10-2004-x64

5

EzExtractProShell.dll

windows11-21h2-x64

5

EzExtractP...32.dll

windows10-2004-x64

3

EzExtractP...32.dll

windows11-21h2-x64

3

Analysis

  • max time kernel
    147s
  • max time network
    152s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    01-10-2024 11:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    $PLUGINSDIR/gcinst.exe

  • Size

    1.3MB

  • MD5

    6ec7094e0756a6698b33e1420fa614d1

  • SHA1

    717a3065334c0851d908d3a9c03e9fe98f577914

  • SHA256

    5690d7de821e2d10210b6ae5f9a490934bc77a3005ee72c56eed00fea63bf4ce

  • SHA512

    785be9a41b37265071eaf5d2fe5a9c5a7c780764eae33ede2d71099d527e1b17068951a758588a57e1b29a2a898196613c5751bc380b94fcf8cb84b8bc90f84c

  • SSDEEP

    24576:kUZGvjjCcQiydy+2cB3Q3gmsSHXd34cyE7jQ9gHKM8OHdp:xUPCcQjx2cB3Q3zFjQ9aKM8cdp

Score
4/10
discoveryevasiontrojan

Malware Config

Signatures

  • Drops file in Program Files directory 1 IoCs
  • Drops file in Windows directory 64 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gcinst.exe
    "C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\gcinst.exe"
    1⤵
    • Drops file in Program Files directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Program Files (x86)\Google\GoogleUpdateSetup.exe
      GoogleUpdateSetup.exe /silent /alwayslaunchcmd /install "appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&appname=Google%20Chrome&needsadmin=True&brand=PNABB" /appargs "appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&installerdata=%7B%22distribution%22%3A%7B%22suppress_first_run_bubble%22%3Atrue%2C%22do_not_launch_chrome%22%3Atrue%2C%22make_chrome_default%22%3Atrue%7D%2C%22sync_promo%22%3A%7B%22show_on_first_run_allowed%22%3Afalse%7D%2C%22first_run_tabs%22%3A%5B%22chrome%3A%2F%2Fwelcome%22%2C%22https%3A%2F%2Fwww.google.com%22%5D%2C%22session%22%3A%7B%22restore_on_startup%22%3A4%2C%22startup_urls%22%3A%5B%22https%3A%2F%2Fwww.google.com%2F%22%5D%2C%22restore_on_startup_migrated%22%3Atrue%7D%7D"
      2⤵
      • Drops file in Windows directory
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2532
      • C:\Windows\SystemTemp\GUM926D.tmp\GoogleUpdate.exe
        C:\Windows\SystemTemp\GUM926D.tmp\GoogleUpdate.exe /silent /alwayslaunchcmd /install "appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&appname=Google%20Chrome&needsadmin=True&brand=PNABB" /appargs "appguid={8A69D345-D564-463c-AFF1-A69D9E530F96}&installerdata=%7B%22distribution%22%3A%7B%22suppress_first_run_bubble%22%3Atrue%2C%22do_not_launch_chrome%22%3Atrue%2C%22make_chrome_default%22%3Atrue%7D%2C%22sync_promo%22%3A%7B%22show_on_first_run_allowed%22%3Afalse%7D%2C%22first_run_tabs%22%3A%5B%22chrome%3A%2F%2Fwelcome%22%2C%22https%3A%2F%2Fwww.google.com%22%5D%2C%22session%22%3A%7B%22restore_on_startup%22%3A4%2C%22startup_urls%22%3A%5B%22https%3A%2F%2Fwww.google.com%2F%22%5D%2C%22restore_on_startup_migrated%22%3Atrue%7D%7D"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks whether UAC is enabled
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1708

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Google\GoogleUpdateSetup.exe
    Filesize

    1.3MB

    MD5

    88a857cb7ca6702ab812666b4c88dfe9

    SHA1

    6f97409352d52db138f3637bb5d5a6478e7de4d6

    SHA256

    027299ea8dfa96e0e59794c59abfd562e2f675e8b8b9a84028da8c58c58d243f

    SHA512

    6f3fc98f11286823db68d45709b845f14679fad1f64cdc0f0c3ef029c486fa551e57ca22d60ad902a865fbc0b246751b4d97edeffd1ef04a0ad190e71da2b6c1

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsk922F.tmp\System.dll
    Filesize

    11KB

    MD5

    fbe295e5a1acfbd0a6271898f885fe6a

    SHA1

    d6d205922e61635472efb13c2bb92c9ac6cb96da

    SHA256

    a1390a78533c47e55cc364e97af431117126d04a7faed49390210ea3e89dd0e1

    SHA512

    2cb596971e504eaf1ce8e3f09719ebfb3f6234cea5ca7b0d33ec7500832ff4b97ec2bbe15a1fbf7e6a5b02c59db824092b9562cd8991f4d027feab6fd3177b06

    Download Submit

  • C:\Windows\SystemTemp\GUM926D.tmp\GoogleUpdate.exe
    Filesize

    158KB

    MD5

    baf0b64af9fceab44942506f3af21c87

    SHA1

    e78fb7c2db9c1b1f9949f4fcd4b23596c1372e05

    SHA256

    581edeca339bb8c5ebc1d0193ad77f5cafa329c5a9adf8f5299b1afabed6623b

    SHA512

    ee590e4d5ccdd1ab6131e19806ffd0c12731dd12cf7bfb562dd8f5896d84a88eb7901c6196c85a0b7d60aee28f8cfbba62f8438d501eabd1bb01ec0b4f8d8004

    Download Submit

  • C:\Windows\SystemTemp\GUM926D.tmp\goopdate.dll
    Filesize

    1.9MB

    MD5

    9a7cd2cc8647d6052da0413a95777398

    SHA1

    3169d711b1e022af7912ca2a968be5fcaac04d23

    SHA256

    3244dd164b91b1db785b84438d54ea69051bc9e2a21bf523bd09bbe1005c3307

    SHA512

    64bf0ec909e33ad699c9c5d261dc739400db327b070e9faa19dfa12c637ad6d47e09126b262a04e7562c8939b6596e90b3353d27d7e1dc1eb2be5c9e6b462e6d

    Download Submit

  • C:\Windows\SystemTemp\GUM926D.tmp\goopdateres_en.dll
    Filesize

    42KB

    MD5

    48f2d63b85468b3d9f6f5c99d2e20d87

    SHA1

    7fbe2e04a723473c9ed0090afd9ea279f03226a1

    SHA256

    713cd0392fd4a096560be8dcf5757adc6e02d919742a8ad7b4b0856e2ba53534

    SHA512

    815d55d0f6dd514134446f442b8972531c4dba6857b979ede7d5dc537c85eb027b3ca1c7f560aef90177a98e6a19661b937f06f1f209f19e8a2676271898afe1

    Download Submit